// Flags artifacts of Log4j JNDI-lookup exploitation on macOS. A hit needs
// both evidence that the vulnerable JNDI/LDAP lookup code path was reached
// ($jndi*) and a marker of an attacker-supplied payload ($exp*); either
// family alone is not enough. Per `scan_context` the rule is meant for both
// on-disk files and process memory, where these Java class paths and
// exception strings would typically surface (e.g. in stack traces or
// loaded-class names -- inferred, confirm against samples).
// All strings are plain ASCII matches (no `wide` modifier), so UTF-16
// encodings of the same text are not covered.
rule MacOS_Exploit_Log4j_75a13888 {
    meta:
        author = "Elastic Security"
        id = "75a13888-7650-4ef3-adec-15378c8479bd"
        fingerprint = "cd06db6f5bebf0412d056017259b5451184d5ba5b2976efd18fa8f96dba6a159"
        creation_date = "2021-12-13"
        last_modified = "2022-07-22"
        threat_name = "MacOS.Exploit.Log4j"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "macos"
    strings:
        // JNDI lookup code path: the LDAP context lookup in the JDK's JNDI
        // provider, the Log4j core JndiLookup plugin's lookup method, and the
        // LDAP URL context lookup. Partial class paths (no leading package)
        // are used, so they match as substrings of the fully qualified name.
        $jndi1 = "jndi.ldap.LdapCtx.c_lookup"
        $jndi2 = "logging.log4j.core.lookup.JndiLookup.lookup"
        $jndi3 = "com.sun.jndi.url.ldap.ldapURLContext.lookup"
        // Payload markers: a URL path fragment whose trailing `Base64/`
        // segment suggests a base64-encoded command (NOTE(review): inferred
        // from the string only -- verify against samples), a Java
        // ClassCastException naming a class called `Exploit`, and a class or
        // source file named `Exploit` under a web application classpath.
        $exp1 = "Basic/Command/Base64/"
        $exp2 = "java.lang.ClassCastException: Exploit"
        $exp3 = "WEB-INF/classes/Exploit"
        $exp4 = "Exploit.java"
    condition:
        // Two of the three lookup markers plus at least one payload marker;
        // requiring both families is intended to keep benign Log4j/JNDI
        // usage from matching on the lookup strings alone.
        2 of ($jndi*) and 1 of ($exp*)
}

